[libvirt] [PATCH 9/9] add DHCP snooping support to nwfilter
David Stevens
dlstevens at us.ibm.com
Tue May 10 15:25:13 UTC 2011
"Daniel P. Berrange" <berrange at redhat.com> wrote on 05/10/2011 02:28:25 AM:
> From: "Daniel P. Berrange" <berrange at redhat.com>
> To: David Stevens/Beaverton/IBM at IBMUS
> Cc: libvirt-list at redhat.com
> Date: 05/10/2011 02:32 AM
> Subject: Re: [libvirt] [PATCH 9/9] add DHCP snooping support to nwfilter
>
> On Mon, May 09, 2011 at 01:12:10PM -0700, David L Stevens wrote:
> > This patch removes remaining pieces of IP address learning.
>
> Do we actually want to do this? This is effectively causing a
> regression in functionality for anyone who's relying on the
> current IP learning support, but who does not use DHCP.
I think there is no security at all in believing a guest's notion
of what its own IP address is. Static addresses can still be used, but
I don't see the point of allowing a guest to choose which address it
can use (including a spoof address) and doing any filtering at all.
I didn't include it in this set, but implicit in using DHCP
snooping is having a list of trusted DHCP servers. As that is just
an ordinary filter addition in examples with no (non-XML) code
changes, I thought I'd get this discussion kicked off first.
Patches I had in mind but didn't include here:
p10 - add support for multiple MAC addresses via comma-separated lists
(e.g., support '54:0:0:0:0:0:1,54:1:2:3:4:5' as a MAC specification)
p11 - add support for multiple static IP addresses via comma-separated lists
p12 - add a filter in examples/xml/nwfilter for dropping DHCP server
traffic not in a trusted list.
+-DLS
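The "trusted DHCP server" filter the message describes as p12 is not part of this patch set, so the following is an added illustration in libvirt's nwfilter XML, not code from the patch or the thread. It assumes the standard nwfilter rule elements (ip, udp port matching, accept/drop actions, $-variables) and uses a hypothetical variable name DHCPSERVER, which the admin binds per interface; only DHCP replies from that server reach the guest, and the guest may only send client-side DHCP (port 68 to 67), so it cannot answer other guests' DHCP requests as a rogue server.

```xml
<!-- Added example filter, not from the patch: only accept DHCP from a trusted server. -->
<filter name='trusted-dhcp-server' chain='ipv4'>
  <!-- Guest may broadcast DHCP discover/request as a client. -->
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255'
        protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <!-- Guest may renew from the assigned address (requires a later variable binding). -->
  <rule action='accept' direction='out' priority='101'>
    <ip protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <!-- Only replies from the trusted server ($DHCPSERVER is an assumed variable name). -->
  <rule action='accept' direction='in' priority='100'>
    <ip srcipaddr='$DHCPSERVER' protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
  <!-- Any other DHCP server traffic, in either direction, is dropped: the guest
       cannot act as a DHCP server and cannot accept leases from untrusted ones. -->
  <rule action='drop' direction='inout' priority='200'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
  <rule action='drop' direction='out' priority='201'>
    <ip protocol='udp' srcportstart='67'/>
  </rule>
</filter>
```

The filter is referenced from a domain's interface with `<filterref filter='trusted-dhcp-server'><parameter name='DHCPSERVER' value='192.0.2.1'/></filterref>` (the address is a constructed placeholder); binding the server address at the interface rather than inside the filter is what makes the trusted list an "ordinary filter addition" with no code changes, as the message states.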